author | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:28:52 +0000 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2009-06-26 11:28:52 +0000 |
commit | 710c1c34d1e81cfae1c1a86f188d911af300daad (patch) | |
tree | ea0faba98add8325438b512fa2e1fc61a38656a4 /crypto/x509 | |
parent | e16818108f2fb851930789f29622c0cb2d574398 (diff) |
Allow checking of self-signed certifictes if a flag is set.
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 7 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.h | 3 |
2 files changed, 7 insertions, 3 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index dd4065b0ce..200a9cc0b6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1610,10 +1610,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
 		{
 		ctx->error_depth=n;
 
-		/* Skip signature check for self signed certificates. It
-		 * doesn't add any security and just wastes time.
+		/* Skip signature check for self signed certificates unless
+		 * explicitly asked for. It doesn't add any security and
+		 * just wastes time.
 		 */
-		if (!xs->valid && xs != xi)
+		if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
 			{
 			if ((pkey=X509_get_pubkey(xi)) == NULL)
 				{
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 0df76db849..4e73806adc 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -387,6 +387,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_EXTENDED_CRL_SUPPORT	0x1000
 /* Delta CRL support */
 #define X509_V_FLAG_USE_DELTAS			0x2000
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
+
 
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
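Review bot: The reworded comment above the `if` still states that checking a self-signed certificate's signature "doesn't add any security", yet the commit introduces a flag precisely to request that check, and the comment gives a reader no idea when setting it is worthwhile. I would replace the last sentence with something like `/* ... Verifying the self-signature only detects a top-of-chain certificate whose signature does not match its own key (e.g. a damaged trust-store entry), so it is done only when X509_V_FLAG_CHECK_SS_SIGNATURE is set. */`. The new condition also dereferences `ctx->param` unconditionally; I cannot tell from the hunk whether `internal_verify` can be reached with a NULL `param`, so this is worth confirming against the callers. The body of `internal_verify` begins and ends outside the hunk.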
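Review bot: The one-line comment on the new `X509_V_FLAG_CHECK_SS_SIGNATURE` definition, "Check selfsigned CA signature", appears narrower than what the flag does: the test in `internal_verify` keys on `xs == xi`, i.e. on the certificate at the top of the chain being self-signed, which presumably includes a self-signed end-entity certificate and not only a CA. Since this header is the public documentation of the flag, I would make the comment describe the behaviour and the default, e.g. `/* Verify the signature of a self-signed certificate at the top of the chain (skipped by default) */`. The other X509_V_FLAG_ comments in this block are one short phrase each, so keeping it to one line matches the file's style.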